python: ParameterNode is the one used publicly

- it contains also synthesized nodes, but getParameter returns none for these. - hide isParameterOf
2026-05-02 12:15:17 +02:00 · 2022-06-21 12:38:40 +00:00
parent 8a2125353d
commit 2c2395ffd7
15 changed files with 29 additions and 30 deletions
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatchPointsTo.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatchPointsTo.qll
@@ -662,6 +662,8 @@ class SummaryCall extends DataFlowCall, TSummaryCall {
 * flow graph.
 */
 abstract class ParameterNodeImpl extends Node {
+  abstract Parameter getParameter();
+
  /**
   * Holds if this node is the parameter of callable `c` at the
   * (zero-based) index `i`.
@@ -676,6 +678,8 @@ class SummaryParameterNode extends ParameterNodeImpl, TSummaryParameterNode {

  SummaryParameterNode() { this = TSummaryParameterNode(sc, pos) }

+  override Parameter getParameter() { none() }
+
  override predicate isParameterOf(DataFlowCallable c, int i) { sc = c and i = pos }

  override DataFlowCallable getEnclosingCallable() { result = sc }
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
@@ -22,7 +22,7 @@ import DataFlowDispatchPointsTo
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }

 /** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
-predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) {
+predicate isParameterNode(ParameterNodeImpl p, DataFlowCallable c, ParameterPosition pos) {
  p.isParameterOf(c, pos)
 }

--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll
@@ -289,14 +289,11 @@ ExprNode exprNode(DataFlowExpr e) { result.getNode().getNode() = e }
 * flow graph.
 */
 class ParameterNode extends Node, TParameterNode instanceof ParameterNodeImpl {
-  /**
-   * Holds if this node is the parameter of callable `c` at the
-   * (zero-based) index `i`.
-   */
-  final predicate isParameterOf(DataFlowCallable c, int i) { super.isParameterOf(c, i) }
+  /** Gets the parameter corresponding to this node, if any. */
+  final Parameter getParameter() { result = super.getParameter() }
 }

-/** A parameter node foudn in the source code (not in a summary). */
+/** A parameter node found in the source code (not in a summary). */
 class SourceParameterNode extends ParameterNodeImpl, CfgNode {
  //, LocalSourceNode {
  ParameterDefinition def;
@@ -313,7 +310,7 @@ class SourceParameterNode extends ParameterNodeImpl, CfgNode {
  override DataFlowCallable getEnclosingCallable() { this.isParameterOf(result, _) }

  /** Gets the `Parameter` this `ParameterNode` represents. */
-  Parameter getParameter() { result = def.getParameter() }
+  override Parameter getParameter() { result = def.getParameter() }
 }

 class LocalSourceParameterNode extends SourceParameterNode, LocalSourceNode { }
--- a/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackerSpecific.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackerSpecific.qll
@@ -44,7 +44,7 @@ private DataFlowPrivate::DataFlowCallable getCallableForArgument(
 }

 /** Holds if `nodeFrom` steps to `nodeTo` by being passed as a parameter in a call. */
-predicate callStep(DataFlowPublic::ArgumentNode nodeFrom, DataFlowPublic::ParameterNode nodeTo) {
+predicate callStep(DataFlowPublic::ArgumentNode nodeFrom, DataFlowPrivate::ParameterNodeImpl nodeTo) {
  // TODO: Support special methods?
  exists(DataFlowPrivate::DataFlowCallable callable, int i |
    callable = getCallableForArgument(nodeFrom, i) and
--- a/python/ql/lib/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/lib/semmle/python/frameworks/Aiohttp.qll
@@ -442,7 +442,7 @@ module AiohttpWebModel {
   * handler is invoked.
   */
  class AiohttpRequestHandlerRequestParam extends Request::InstanceSource, RemoteFlowSource::Range,
-    DataFlow::SourceParameterNode {
+    DataFlow::ParameterNode {
    AiohttpRequestHandlerRequestParam() {
      exists(Function requestHandler |
        requestHandler = any(AiohttpCoroutineRouteSetup setup).getARequestHandler() and
--- a/python/ql/lib/semmle/python/frameworks/Django.qll
+++ b/python/ql/lib/semmle/python/frameworks/Django.qll
@@ -2238,8 +2238,7 @@ module PrivateDjango {
   *
   * See https://docs.djangoproject.com/en/3.1/ref/forms/validation/#form-and-field-validation
   */
-  private class DjangoFormFieldValueParam extends RemoteFlowSource::Range,
-    DataFlow::SourceParameterNode {
+  private class DjangoFormFieldValueParam extends RemoteFlowSource::Range, DataFlow::ParameterNode {
    DjangoFormFieldValueParam() {
      exists(DjangoFormFieldClass cls, Function meth |
        cls.getAMethod() = meth and
@@ -2582,7 +2581,7 @@ module PrivateDjango {
  // ---------------------------------------------------------------------------
  /** A parameter that will receive the django `HttpRequest` instance when a request handler is invoked. */
  private class DjangoRequestHandlerRequestParam extends DjangoImpl::Http::Request::HttpRequest::InstanceSource,
-    RemoteFlowSource::Range, DataFlow::SourceParameterNode {
+    RemoteFlowSource::Range, DataFlow::ParameterNode {
    DjangoRequestHandlerRequestParam() {
      this.getParameter() = any(DjangoRouteSetup setup).getARequestHandler().getRequestParam()
      or
@@ -2647,7 +2646,7 @@ module PrivateDjango {
   *  - https://docs.djangoproject.com/en/3.1/topics/http/file-uploads/#handling-uploaded-files-with-a-model
   */
  private class DjangoFileFieldUploadToFunctionFilenameParam extends RemoteFlowSource::Range,
-    DataFlow::SourceParameterNode {
+    DataFlow::ParameterNode {
    DjangoFileFieldUploadToFunctionFilenameParam() {
      exists(DataFlow::CallCfgNode call, DataFlow::Node uploadToArg, Function func |
        this.getParameter() = func.getArg(1) and
--- a/python/ql/lib/semmle/python/frameworks/Fabric.qll
+++ b/python/ql/lib/semmle/python/frameworks/Fabric.qll
@@ -176,7 +176,7 @@ private module FabricV2 {
    }

    class FabricTaskFirstParamConnectionInstance extends Fabric::Connection::ConnectionClass::InstanceSource,
-      DataFlow::SourceParameterNode {
+      DataFlow::ParameterNode {
      FabricTaskFirstParamConnectionInstance() {
        exists(Function func |
          func.getADecorator() = Fabric::Tasks::task().getAUse().asExpr() and
--- a/python/ql/lib/semmle/python/frameworks/FastApi.qll
+++ b/python/ql/lib/semmle/python/frameworks/FastApi.qll
@@ -88,7 +88,7 @@ private module FastApi {
   * Pydantic model.
   */
  private class PydanticModelRequestHandlerParam extends Pydantic::BaseModel::InstanceSource,
-    DataFlow::SourceParameterNode {
+    DataFlow::ParameterNode {
    PydanticModelRequestHandlerParam() {
      this.getParameter().getAnnotation() = Pydantic::BaseModel::subclassRef().getAUse().asExpr() and
      any(FastApiRouteSetup rs).getARequestHandler().getArgByName(_) = this.getParameter()
@@ -102,7 +102,7 @@ private module FastApi {
   * A parameter to a request handler that has a WebSocket type-annotation.
   */
  private class WebSocketRequestHandlerParam extends Starlette::WebSocket::InstanceSource,
-    DataFlow::SourceParameterNode {
+    DataFlow::ParameterNode {
    WebSocketRequestHandlerParam() {
      this.getParameter().getAnnotation() = Starlette::WebSocket::classRef().getAUse().asExpr() and
      any(FastApiRouteSetup rs).getARequestHandler().getArgByName(_) = this.getParameter()
@@ -308,7 +308,7 @@ private module FastApi {
     * A parameter to a FastAPI request-handler that has a `fastapi.Response`
     * type-annotation.
     */
-    class RequestHandlerParam extends InstanceSource, DataFlow::SourceParameterNode {
+    class RequestHandlerParam extends InstanceSource, DataFlow::ParameterNode {
      RequestHandlerParam() {
        this.getParameter().getAnnotation() =
          getModeledResponseClass(_).getASubclass*().getAUse().asExpr() and
--- a/python/ql/lib/semmle/python/frameworks/Invoke.qll
+++ b/python/ql/lib/semmle/python/frameworks/Invoke.qll
@@ -40,7 +40,7 @@ private module Invoke {
            or
            exists(Function func |
              func.getADecorator() = invoke().getMember("task").getAUse().asExpr() and
-              result.(DataFlow::SourceParameterNode).getParameter() = func.getArg(0)
+              result.(DataFlow::ParameterNode).getParameter() = func.getArg(0)
            )
          )
          or
--- a/python/ql/lib/semmle/python/frameworks/RestFramework.qll
+++ b/python/ql/lib/semmle/python/frameworks/RestFramework.qll
@@ -183,7 +183,7 @@ private module RestFramework {
   * request handler is invoked.
   */
  private class RestFrameworkRequestHandlerRequestParam extends Request::InstanceSource,
-    RemoteFlowSource::Range, DataFlow::SourceParameterNode {
+    RemoteFlowSource::Range, DataFlow::ParameterNode {
    RestFrameworkRequestHandlerRequestParam() {
      // rest_framework.views.APIView subclass
      exists(RestFrameworkApiViewClass vc |
--- a/python/ql/lib/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
@@ -1957,8 +1957,7 @@ private module StdlibPrivate {
    abstract class InstanceSource extends DataFlow::Node { }

    /** The `self` parameter in a method on the `BaseHttpRequestHandler` class or any subclass. */
-    private class SelfParam extends InstanceSource, RemoteFlowSource::Range,
-      DataFlow::SourceParameterNode {
+    private class SelfParam extends InstanceSource, RemoteFlowSource::Range, DataFlow::ParameterNode {
      SelfParam() {
        exists(HttpRequestHandlerClassDef cls | cls.getAMethod().getArg(0) = this.getParameter())
      }
@@ -2086,7 +2085,7 @@ private module StdlibPrivate {
     *
     * See https://docs.python.org/3.10/library/wsgiref.html#wsgiref.simple_server.WSGIRequestHandler.get_environ
     */
-    class WSGIEnvirontParameter extends RemoteFlowSource::Range, DataFlow::SourceParameterNode {
+    class WSGIEnvirontParameter extends RemoteFlowSource::Range, DataFlow::ParameterNode {
      WSGIEnvirontParameter() {
        exists(WsgirefSimpleServerApplication func |
          if func.isMethod()
@@ -2110,8 +2109,8 @@ private module StdlibPrivate {
      t.start() and
      exists(WsgirefSimpleServerApplication func |
        if func.isMethod()
-        then result.(DataFlow::SourceParameterNode).getParameter() = func.getArg(2)
-        else result.(DataFlow::SourceParameterNode).getParameter() = func.getArg(1)
+        then result.(DataFlow::ParameterNode).getParameter() = func.getArg(2)
+        else result.(DataFlow::ParameterNode).getParameter() = func.getArg(1)
      )
      or
      exists(DataFlow::TypeTracker t2 | result = startResponse(t2).track(t2, t))
--- a/python/ql/lib/semmle/python/frameworks/Tornado.qll
+++ b/python/ql/lib/semmle/python/frameworks/Tornado.qll
@@ -127,7 +127,7 @@ private module Tornado {

        /** The `self` parameter in a method on the `tornado.web.RequestHandler` class or any subclass. */
        private class SelfParam extends InstanceSource, RemoteFlowSource::Range,
-          DataFlow::SourceParameterNode {
+          DataFlow::ParameterNode {
          SelfParam() {
            exists(RequestHandlerClass cls | cls.getAMethod().getArg(0) = this.getParameter())
          }
--- a/python/ql/lib/semmle/python/frameworks/Twisted.qll
+++ b/python/ql/lib/semmle/python/frameworks/Twisted.qll
@@ -143,7 +143,7 @@ private module Twisted {
   * when a twisted request handler is called.
   */
  class TwistedResourceRequestHandlerRequestParam extends RemoteFlowSource::Range,
-    Request::InstanceSource, DataFlow::SourceParameterNode {
+    Request::InstanceSource, DataFlow::ParameterNode {
    TwistedResourceRequestHandlerRequestParam() {
      this.getParameter() = any(TwistedResourceRequestHandler handler).getRequestParameter()
    }
@@ -156,7 +156,7 @@ private module Twisted {
   * that is also given remote user input. (a bit like RoutedParameter).
   */
  class TwistedResourceRequestHandlerExtraSources extends RemoteFlowSource::Range,
-    DataFlow::SourceParameterNode {
+    DataFlow::ParameterNode {
    TwistedResourceRequestHandlerExtraSources() {
      exists(TwistedResourceRequestHandler func, int i |
        func.getName() in ["getChild", "getChildWithDefault"] and i = 1
--- a/python/ql/lib/semmle/python/frameworks/internal/PoorMansFunctionResolution.qll
+++ b/python/ql/lib/semmle/python/frameworks/internal/PoorMansFunctionResolution.qll
@@ -72,7 +72,7 @@ private DataFlow::Node getSimpleMethodReferenceWithinClass(Function func) {
    pragma[only_bind_into](cls).getAMethod() = func and
    pragma[only_bind_into](cls).getAMethod() = otherFunc
  |
-    selfRefOtherFunc.getALocalSource().(DataFlow::SourceParameterNode).getParameter() =
+    selfRefOtherFunc.getALocalSource().(DataFlow::ParameterNode).getParameter() =
      otherFunc.getArg(0) and
    result.(DataFlow::AttrRead).accesses(selfRefOtherFunc, func.getName())
  )
--- a/python/ql/lib/semmle/python/frameworks/internal/SelfRefMixin.qll
+++ b/python/ql/lib/semmle/python/frameworks/internal/SelfRefMixin.qll
@@ -22,7 +22,7 @@ abstract class SelfRefMixin extends Class {
   */
  private DataFlow::TypeTrackingNode getASelfRef(DataFlow::TypeTracker t) {
    t.start() and
-    result.(DataFlow::SourceParameterNode).getParameter() = this.getAMethod().getArg(0)
+    result.(DataFlow::ParameterNode).getParameter() = this.getAMethod().getArg(0)
    or
    exists(DataFlow::TypeTracker t2 | result = this.getASelfRef(t2).track(t2, t))
  }